PV204: Disk encryption Laboratory of Security and Applied Cryptography (LaBAK) May 12, 2014, [email protected] Introduction Confidentiality and authenticity of user files can be provided by encryption on several layers. Application can implement encryption directly, examples are PGP or ZIP with password. Encryption of files (inside filesystem or through independent layer like Linux eCryptfs) provides more generic solution. But some parts (like filesystem metadata) are still unencrypted. However this solution provides easy way how to store data encrypted with private key per user. (Every user can have own directory encrypted by own key.) The lower layer is the encryption of the whole disk called Full Disk Encryption. FDE is completely transparent to the user (user does not need to choose what to encrypt because the whole disk is encrypted). The disadvantage is that everyone who knows the password can read the whole disk, so for encryption private to user it must be combined with another layer of encryption. The primary use for FDE is prevention to data loss in power-down mode (stolen laptop). Once the disk is unlocked, the main encryption key remains in system, usually in system RAM. Another disadvantage of the FDE is that it cannot guarantee integrity of data. Because the encryption is fully transparent, the ciphertext and plaintext device are of the same size, there is no space to store any integrity information. This allows various attacks by direct modification of ciphertext. The FDE works on the sector level, as the same as the block device. The atomic units for the encrypted device are sectors. Sectors are encrypted independently with symmetric cipher. Because size of symmetric cipher block is smaller than size of sector, an encryption mode have to be used. It is crucial that the same data in different sectors must produce different ciphertext pattern. This is achieved by a per-sector tweak (IV, Initialization Vector) which is usually derived from logical sector offset (sector number). Combination of properly used IV and encryption mode is critical for the security of the FDE system. Figure 1. shows example of wrongly used mode for encryption (here ECB, Electronic Codebook, or in other words encryption without sector tweak and without feedback). Another problems could appear with CBC mode [CBC] and predictable IV. Then attacker can use predictability of IV and create watermarks and detect them directly from ciphertext (to prove existence of some data). Today, the most used encryption mode for disks is XTS [XTS]. This mode is constructed such way, that it can safely use predictable sector number as IV. Figure 1. Result of statistical analysis on image encrypted in ECB mode The FDE can be implemented on hardware layer (disks encrypted internally, encryption inside controller chipset) or in software [FDE]. Software implementation is for example Bitlocker for Windows systems, dm-crypt in Linux, FileVault on MacOS or TrueCrypt as a multiplatform solution. There are many other tools implementing this functionality [COMP]. In the following exercises we will use two software FDE tools. The first one is LUKS/dm-crypt [LUKS] which is primary solution for Linux based systems and TrueCrypt [TC]. Both tools allows a user to create a virtual encrypted block device within a partition or a regular file. This virtual disk can be formatted as if it was a physical device and mounted. TrueCrypt also supports trivial steganography and allows to create a hidden virtual volume within another volume. References [FDE] Disk encryption http://en.wikipedia.org/wiki/Disk_encryption [COMP] Comparison of disk encryption software http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software [CBC] Cipher Block Chaining mode http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29 [XTS] IEEE P1619™/D16 Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices (AES-XTS) http://grouper.ieee.org/groups/1619/email/pdf00086.pdf [LUKS] Linux Unified Key Setup / cryptsetup https://code.google.com/p/cryptsetup/ [TC] TrueCrypt, Free open-source disk encryption software http://www.truecrypt.org/ Exercises During the exercises, we will use prepared Virtual Machine PV204 (Ubuntu 14.04). VM can be run in Oracle VirtualBox. The virtual machine is preinstalled with LUKS disk encryption of the whole system, cryptsetup 1.6 (which allows to map TrueCrypt devices directly) and TrueCrypt 7.1a. For analysis of raw data you can use okteta hexa editor. For experiments you can use /dev/sdb disk, which is 256MB virtual device unused for system. User name: pv204 Password (also unlocking password for disk): pv204 Note: User pv204 is a member of group admin and can run superuser commands via sudo without need of entering password, e.g. sudo ls /root. Exercise I: Hardware keylogger use "If you let your machine out of your sight, it’s no longer your machine." In a context of disk encryption specialized hw device can be used to attack entered passphrase (BIOS password, disk encryption unlocking passphrase). Hardware keylogger is a device which intercepts data entered through keyboard and store it internally for later analysis. The device can also transmit data using wireless network or another hidden channel. If properly masked (e.g. in keyboard controller) it is very hard to reveal it by user because device is completely transparent to BIOS and operating system (and power consumption is minimal). Figure 2. Example keylogger module We will use simple example of commercially available USB keylogger module (2010) intended for built-in applications. Used version has only 4MB internal memory for log but extended version provides SD card for log store (enough storage for almost the whole physical life of the keyboard). Log retrieval is activated by an activation shortcut, which switches keylogger into USB drive emulation mode and provides direct access to log storage (file). Figure 3. Log retrieval from the module Your task 1. Connect provided USB keyboard through cable with USB keylogger module. 2. Check that system recognizes keyboard (as the same as it is connected directly). 3. Simulate some work where you need enter sensitive data, e.g. create new TrueCrypt encrypted device, boot testing virtual machine and log in or try to enter some password in browser. 4. Switch to host system file explorer and press activation shortcut : 'K' + 'B' + 'S' key together. The keyboard should detach and you should see new virtual USB flash disk. 5. Investigate "log.txt" file on the disk and compare it with your work in step 3. 6. Please delete the "log.txt" so your colleagues will not see your "sensitive" data :-) Exercise II: Obtaining encryption key from VM memory image For most of the software-based disk encryption configurations the main encryption run on the main CPU, usually inside OS context (optionally with with HW acceleration like AES-NI instructions). In this operating mode the encryption key is present in RAM during the operation. The attacker can obtain image of the physical memory and try to search for encryption key. This image can be either obtained though software (we will use VirtualBox debugger function) or through hardware (Cold boot attack, i.e. recover memory content after force reboot/short powerdown or use FireWire hw debug functions). Theobtained key can be directly used for storage decryption (without password knowledge). Next problem is to identify candidate keys in memory image. This can be done by recognizing internal OS structures in memory or by a more generic approach, like reconstructing AES keys by identifying specific round keys [COLD]. Your Task 1. Prepare Virtual Machine with some active and mounted encrypted devices and understand the storage stack inside. You should have at least two encrypted and active disks. One is system encryption itself (LUKS/dm-crypt) and second will be TrueCrypt device created on /dev/sdb. a) Start and login to VM. b) Run TrueCrypt GUI (on launcher) and create new device directly on /dev/sdb (please use AES only for encryption algorithm). (Create volume within a partition/drive, standard volume, select device /dev/sdb, use AES.) c) mount device through TrueCrypt GUI and investigate used parameters (Volume Properties). Keep it mounted to investigate key in memory later. d) Investigate and understand storage stack, dump parameters about encrypted virtual devices. Use lsblk command to get the whole picture: So sda5 is your system encrypted partition, sdb is the TrueCrypt device. Check TrueCrypt device - note the header is encrypted so you cannot get information using blkid. Use cryptsetup TrueCrypt extension to get more info about device on-disk header: Now, try to display encrypted keys directly from kernel (superuser can display full device- mapper dm-crypt mapping table for active devices). e) Repeat the same exercise for LUKS device (/dev/sda5 mapped to sda5_crypt), just use luksDump command. Note LUKS has visible header on-disk. 2. While the VM is still running, obtain snapshot of memory core image. You can use Vbox_save_memcore.bat script which uses internal VirtualBox debugger to dump VM memory core (it is in fact ELF format dump, but it is enough for our use). 3. Analyze the memory core image with the provided aeskeyfind program. Note this program search for specific AES structures. (In reality you have key in memory more times but in different format, just think about screen buffer with text dumps executed in step 1.) 4. Compare possible encryption keys with information you obtained in step 1. See XTS encryption mode definition [XTS] and think why you see two separate AES keys for one device. References [COLD] Lest We Remember: Cold Boot Attacks on Encryption Keys https://citp.princeton.edu/research/memory/ [XTS] IEEE P1619™/D16 Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices (AES-XTS) http://grouper.ieee.org/groups/1619/email/pdf00086.pdf Exercise III: Revealing TrueCrypt hidden disk existence (CBC mode) The goal of this exercise is to show that old CBC mode in TrueCrypt is vulnerable to watermarking attack and that such attack could be used to reveal hidden disk existence just from ciphertext analysis.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-